A sophisticated supply-chain attack has compromised the widely used Daemon Tools disk application, affecting approximately 100 organizations across Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China.

The infection, which Kaspersky researchers detailed in a recent report, involved replacing a legitimate Daemon Tools installer with a backdoored version. This allowed attackers to deploy follow-on payloads to about a dozen high-value targets, including a minimalistic backdoor capable of executing commands, downloading files, and running shellcode payloads in memory to evade detection.

In one case, Kaspersky observed a more complex backdoor named QUIC RAT, installed on a single machine at an educational institution in Russia. This malware can inject payloads into legitimate system processes like notepad.exe and conhost.exe, and communicates using multiple protocols: HTTP, UDP, TCP, WSS, QUIC, DNS, and HTTP/3.

Kaspersky noted that 10% of affected systems belong to businesses. The more sophisticated backdoor appeared only on a dozen machines belonging to government, scientific, manufacturing, and retail organizations in Russia, Belarus, and Thailand. Researchers believe the selective deployment indicates targeted intentions, though whether the goal is cyberespionage or financial extortion remains unclear.

The security firm's visibility is limited to telemetry from its own products, suggesting the actual scope may be broader.

Users of Daemon Tools are advised to scan their machines fully with reputable antivirus software. Windows users should check for indicators of compromise detailed in Kaspersky's post. Advanced users should monitor for suspicious code injections into legitimate system processes launched from directories like Temp, AppData, or Public.
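As an added illustration of the monitoring advice above (example code, not from the article or from Kaspersky), a small Python check over Sysmon-style CreateRemoteThread records that flags injections into notepad.exe or conhost.exe by a process launched from Temp, AppData, or Public. The record format, field names, directory patterns, and sample lines are constructed assumptions, not published indicators.

```python
import re
from dataclasses import dataclass

# User-writable launch directories the article calls out, as case-insensitive
# regexes over normalized Windows paths (constructed, not Kaspersky's IoCs).
SUSPICIOUS_DIR_PATTERNS = [
    r"^c:\\windows\\temp\\",
    r"^c:\\users\\[^\\]+\\appdata\\",   # covers AppData\Local\Temp and Roaming
    r"^c:\\users\\public\\",
]

# Legitimate system processes the article says the backdoor injects into.
INJECTION_TARGETS = {"notepad.exe", "conhost.exe"}


@dataclass
class InjectionEvent:
    source_image: str  # process performing the injection
    target_image: str  # process receiving the injected code


def parse_event(line):
    """Parse one record of the assumed form
    'SourceImage: <path> | TargetImage: <path>' into an InjectionEvent."""
    fields = dict(part.strip().split(": ", 1) for part in line.split("|"))
    return InjectionEvent(fields["SourceImage"], fields["TargetImage"])


def normalize(path):
    return path.replace("/", "\\").lower()


def is_suspicious(event):
    src = normalize(event.source_image)
    target_name = normalize(event.target_image).rsplit("\\", 1)[-1]
    from_user_writable = any(re.match(p, src) for p in SUSPICIOUS_DIR_PATTERNS)
    return from_user_writable and target_name in INJECTION_TARGETS


def flag_events(lines):
    """Return the events that match both conditions, in log order."""
    return [e for e in (parse_event(l) for l in lines) if is_suspicious(e)]


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    "SourceImage: C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe | TargetImage: C:\\Windows\\System32\\notepad.exe",
    "SourceImage: C:\\Program Files\\Vendor\\app.exe | TargetImage: C:\\Windows\\System32\\conhost.exe",
    "SourceImage: C:\\Users\\Public\\update.exe | TargetImage: C:\\Windows\\System32\\conhost.exe",
    "SourceImage: C:\\Users\\bob\\AppData\\Roaming\\x.exe | TargetImage: C:\\Windows\\System32\\svchost.exe",
]
```

Run against SAMPLE_LOG it flags the first and third records only; a legitimately installed product injecting into conhost.exe, or a Temp-launched process targeting something outside the list, is left for analyst triage rather than auto-flagged.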